Safekeeping Patient Records Off-Site

Among the first things practices should do is set up a check-out/check-in system.

Practice managers know that protected health information (PHI) in a practice needs to be secured. But what if PHI is transferred or kept off-site? HIPAA provides little guidance for keeping those records safe, and practices still get caught without policies relating to it even when they know staff is transporting PHI.

In 2016, the Office for Civil Rights (OCR) in the US Department of Health & Human Services required Lincare Inc. to pay nearly $240,000 in civil fines when an employee left patient files under a bed and in her car. Her husband had access to both places and, when she moved out of the house, he reported the records to OCR.

Chris Apgar, president and CEO of Apgar & Associates LLC, based in Portland, Oregon, said he worked with a medical group that had a physician going through a home foreclosure. When someone went into the house sometime later, they found a number of abandoned medical records. “The group didn't have much in place to deal with that,” Apgar said.

As with many HIPAA violations, if practices have policies and procedures in place for safeguarding PHI and can show that they are trying to abide by them, OCR will be much more lenient should a breach occur. In part, that was why Lincare was fined. The organization, which provided home care services, was aware staff was taking documents out of the office, but they had no policies to guard the information.

Managing the situation

To avoid the issue altogether, practices can forbid physicians and staff from taking PHI off-site. “Some practices insist nothing can be taken home,” said Ericka Adler, a partner at the firm of Roetzel & Andress. “It is a pain, but it is safer to do that.”

That policy may not be practical for many practices, such as those that offer telemedicine, home care services, or diagnostic readings off-site. Adler has seen groups that have staff members take billing information home to catch up some work or doctors who spend their weekends away from the office completing medical records.

To help practices create policies and procedures to keep records safe out of the office, Adler starts by helping clients understand whether or not information needs to be taken off site, and then if so, who is allowed to take it and what kind of permission or process is in place for it to be removed.

One of the first things practices should do is set up a check-out/check-in system. This will inform managers which employees are taking information and, more importantly, whether or not it is returned. Managers should assign someone to track records on a periodic basis to ensure that anything that has left the office has been returned, Apgar said.

Training staff

Anyone who is taking records out of the office should be trained on policies and procedures regularly. Managers should never assume that common sense will keep staff from doing things they should not. Apgar related that he was once at a restaurant when a woman at a nearby table had paper medical charts spread all around her working on them. Anyone walking past could have seen them.

At a minimum, staff should be trained annually or upon hiring on procedures related to transporting records. Individuals who take records out of the office regularly should receive constant reminders of the rules, know organization's expectations of them, and have a signed policy on file. Managers should determine how employees will store records safely in their home. In addition, here are some simple but important points that managers should impress upon employees who take records off-site:

No one else should have access to records (not even a child who wants to play on a parent's computer).

Do not access PHI from a laptop through Wi-Fi in public places.

Do not leave a laptop in plain sight in a car if nobody is in it.

Always use strong passwords.

Return records as soon as they are finished with them.

If there is a breach that is making headlines, managers should meet with staff to discuss whether it could happen at their practice and how such a breach could be prevented. Managers also should send email reminders not to click on suspicious links or open unknown attachments.

Mobile devices

For offices that do most of their work electronically, there is a protocol for keeping records safe, including encryption and password protection. This is especially important when devices are being taken off site.

A number of inexpensive solutions to safeguarding PHI are available, including Microsoft BitLocker, a free encryption tool, Apgar noted. Practices also need to have a mobile device management solution in place. For example, a mobile device management solution should enable the practice to wipe records stored on the mobile device remotely should the device get lost or stolen.

Devices should also go through the same check-out/check-in process as paper records if staff are using practice-owned devices. A designated person should have a list of what is going out, what it is used for, and when it is returned. If the practice permits the use of personally owned devices for work purposes, there needs to be a formal process in place to approve use, require encryption of the personally owned mobile device and connect the mobile device to the practice's mobile device management solution so the device can be wiped if lost or stolen.

Lastly, an often overlooked item is USB drives, which are easy to lose. If practices allow employees to use these devices, they should make sure they are encrypted. Apgar said encrypted USBs are inexpensive and some programs, such as BitLocker, encrypt them for free.